Before You Start #
- You must have an active Enterprise key
- You must have TLS enabled on your cluster
- You must have an Authentication Provider (IdP) set up
- Review the Access Control (RBAC) Roles & Permissions.
- Confirm you have the right role(s) to grant a user access to a given resource (e.g., you have the projectOwner role on a given project you wish to add other users to).
Tip: You can check your current roles and permissions on a given project by running the following:
pachctl auth check project <project-name>
Roles: [projectOwner]
Permissions: [REPO_READ REPO_INSPECT_COMMIT REPO_LIST_COMMIT REPO_LIST_BRANCH REPO_LIST_FILE REPO_INSPECT_FILE REPO_ADD_PIPELINE_READER REPO_REMOVE_PIPELINE_READER PIPELINE_LIST_JOB REPO_WRITE REPO_DELETE_COMMIT REPO_CREATE_BRANCH REPO_DELETE_BRANCH REPO_ADD_PIPELINE_WRITER REPO_MODIFY_BINDINGS REPO_DELETE PROJECT_LIST_REPO PROJECT_CREATE_REPO PROJECT_DELETE PROJECT_MODIFY_BINDINGS]
How to Assign Roles to a User #
As Root Admin #
This guide assumes resources (projects, repositories) have already been created in your cluster.
Note: You can skip steps 2 and 3 if you are using the MockIdP connector and just want to explore/practice, as you are already logged in as the admin user. Even though you can assign permissions to new users in MockIdP, you cannot log in as them.
- Open your terminal.
- Connect as the root user using the following command:
pachctl auth use-auth-token
- Input your root token. If you did not initially set pachd.rootToken or pachd.rootTokenSecretName in your Helm values.yaml configuration, the root token is autogenerated as a Kubernetes secret named pachyderm-auth that can be decoded and read using the following command:
kubectl get secret pachyderm-auth -o jsonpath="{.data.root-token}" | base64 --decode
- Verify you are connected as the root user by running the following command:
pachctl auth whoami
You are "pach:root"
- Run one of the following commands to assign a role, depending on the resource type:
Project:
pachctl auth set project <project-name> <role-name> user:<username@email.com>
Repo:
pachctl auth set repo <repo-name> <role-name> user:<username@email.com>
Cluster:
pachctl auth set enterprise clusterAdmin user:<email>
General form:
pachctl auth set <resource> <resource-name> [role1,role2 | none ] <prefix:subject>
| Admin Roles | Project Roles | Repo Roles | Misc Roles |
|---|---|---|---|
| clusterAdmin | projectViewer | repoReader | debugger |
| oidcAppAdmin | projectWriter | repoWriter | robotUser |
| idpAdmin | projectOwner | repoOwner | pachdLogReader |
| secretAdmin | projectCreator | | |
| identityAdmin | | | |
| licenseAdmin | | | |
- Confirm access by running the command for the resource type:
Project:
pachctl auth get project <project-name>
user:lawrence.lane@hpe.com: [projectOwner]
Repo:
pachctl auth get repo <repo-name>
user:lawrence.lane@hpe.com: [repoOwner]
You can also use these steps to update a user's permissions.
As Project Owner #
- Open your terminal.
- Log in.
pachctl auth login
- Add a user and assign their role to a project that you own, using the command for the resource type:
Project:
pachctl auth set project <project-name> <role-name> user:<username@email.com>
Repo:
pachctl auth set repo <repo-name> <role-name> user:<username@email.com>
Cluster:
pachctl auth set enterprise clusterAdmin user:<email>
General form:
pachctl auth set <resource> <resource-name> [role1,role2 | none ] <prefix:subject>
- Confirm access by running the command for the resource type:
Project:
pachctl auth get project <project-name>
user:lawrence.lane@hpe.com: [projectOwner]
Repo:
pachctl auth get repo <repo-name>
user:lawrence.lane@hpe.com: [repoOwner]
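The "Confirm access" step above is easy to get wrong by eye when a resource has many bindings. The following is an added example, not part of the Pachyderm docs or the pachctl tool: shell functions that parse the `<prefix:subject>: [role ...]` lines that `pachctl auth get` prints, so a script can assert that a subject holds exactly the intended role and list who holds the owner role on a resource. It assumes multiple roles in one binding are space separated inside the brackets (as in the Permissions list earlier on this page), and the sample bindings are constructed, not captured from a cluster.

```shell
# Constructed sample of `pachctl auth get project <name>` output (not real data).
SAMPLE_BINDINGS='user:alice@example.com: [projectOwner]
user:bob@example.com: [projectViewer projectWriter]
robot:ci-runner: [projectWriter]'

# roles_of <bindings> <subject>
# Prints the roles bound to exactly <subject>, space separated, or nothing.
# Matching on "<subject>: [" avoids prefix collisions such as user:al vs user:alice.
roles_of() {
    printf '%s\n' "$1" | awk -v subj="$2" '
        index($0, subj ": [") == 1 {
            sub(/^[^[]*\[/, "")   # drop "subject: ["
            sub(/\]$/, "")        # drop the closing bracket
            print
        }'
}

# has_role <bindings> <subject> <role>
# Exit status 0 when the subject holds the role, 1 otherwise.
has_role() {
    for r in $(roles_of "$1" "$2"); do
        [ "$r" = "$3" ] && return 0
    done
    return 1
}

# owners <bindings>
# Prints every subject that holds projectOwner or repoOwner, i.e. everyone
# who can change the bindings on that resource; useful for a periodic review.
owners() {
    printf '%s\n' "$1" |
        awk '/\[.*(projectOwner|repoOwner).*\]/ { sub(/: \[.*$/, ""); print }'
}

# Against a live cluster (requires pachctl; not executed here):
#   bindings="$(pachctl auth get project <project-name>)"
#   has_role "$bindings" user:<username@email.com> projectOwner || echo "role missing"
#   owners "$bindings"
```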